Chapter 5. Server Security
5.3.4. Assign Static Ports and Use
All of the servers related to NIS can be assigned specific ports except for rpc.yppasswdd, the daemon that allows users to change their login passwords. Assigning ports to the other two NIS server daemons, rpc.ypxfrd and ypserv, allows you to create firewall rules to further protect the NIS server daemons from intruders.
To do this, add the following lines to /etc/sysconfig/network:
    YPSERV_ARGS="-p 834"
    YPXFRD_ARGS="-p 835"
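The following iptables rules can be issued to enforce which network the server will listen to for these ports. Because --dport is only valid together with a protocol such as -p tcp or -p udp, each port gets one rule per protocol:
    iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 834 -j DROP
    iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 834 -j DROP
    iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 835 -j DROP
    iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 835 -j DROP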
Tip
Refer to Chapter 7 for more information about implementing firewalls with iptables commands.
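An added example, not part of the original guide: the script below reads the static ports from a copy of /etc/sysconfig/network and prints matching DROP rules for a trusted network, warning when a daemon has no -p setting. The function names and the sample file contents are assumptions made for illustration; it emits one rule per transport because iptables accepts --dport only with -p tcp or -p udp.

```sh
#!/bin/sh
# Added example: build the NIS firewall rules from the static ports set in
# /etc/sysconfig/network, so the rules and the daemon ports cannot drift apart.

# Read sysconfig text on stdin; print the port that follows -p in VAR's value.
# Returns 1 (prints nothing) if VAR is unset or has no valid "-p <port>".
static_port() {
    awk -v var="$1" '
        index($0, var "=") == 1 {              # last assignment wins, as in sh
            val = substr($0, length(var) + 2)
            gsub(/["'\'']/, "", val)           # drop surrounding quotes
            port = ""
            n = split(val, a, /[ \t]+/)
            for (i = 1; i < n; i++) if (a[i] == "-p") port = a[i + 1]
        }
        END { if (port ~ /^[0-9]+$/ && port + 0 >= 1 && port + 0 <= 65535) { print port } else { exit 1 } }'
}

# Print DROP rules for ypserv and rpc.ypxfrd, one per transport, for traffic
# that does not come from NET. Returns 1 if either daemon lacks a static port.
nis_rules() {
    conf=$1 net=$2 status=0
    for var in YPSERV_ARGS YPXFRD_ARGS; do
        if port=$(static_port "$var" < "$conf"); then
            for proto in tcp udp; do
                echo "iptables -A INPUT -p $proto ! -s $net --dport $port -j DROP"
            done
        else
            echo "# $var has no static port (-p): dynamic port, no rule possible" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample of /etc/sysconfig/network (ports taken from the text above).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
NETWORKING=yes
NISDOMAIN=example
YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"
EOF
nis_rules "$sample" 192.168.0.0/24
```

The script only prints the rules; review the output before loading it into the firewall.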
5.3.5. Use Kerberos Authentication
One of the most glaring flaws inherent when NIS is used for authentication is that whenever a user logs into a machine, a password hash from the /etc/shadow map is sent over the network. If an intruder gains access to an NIS domain and sniffs network traffic, usernames and password hashes can be quietly collected. With enough time, a password cracking program can guess weak passwords, and the attacker has a valid login on the network.
Since Kerberos uses secret key cryptography, no password hashes are ever sent over the network, making the system far more secure. For more about Kerberos, see the chapter titled Kerberos in the Official Red Hat Linux Reference Guide.
5.4. Securing NFS
The Network File System or NFS is an RPC service used in conjunction with portmap and other related services to provide network accessible mount points for client machines. For more information on how NFS works, see the chapter titled Network File System (NFS) in the Official Red Hat Linux Reference Guide. For more information about configuring NFS, refer to the Official Red Hat Linux Customization Guide. The following subsections will assume basic knowledge of NFS.
It is recommended that anyone planning to implement an NFS server first secure the portmap service as outlined in Section 5.2, then address the following issues.
5.4.1. Carefully Plan the Network
Because NFS passes all information unencrypted over the network, it is important that the service be run behind a firewall and on a segmented and secure network. Any time information is passed over NFS on an insecure network, it risks being intercepted. Careful network design in these regards can help prevent security breaches.